Data Protection Officers (DPOs)
What Is a Data Protection Officer?
For those organizations that are required to appoint one, the data protection officer (DPO) is their point person for all GDPR-related matters. They monitor the organization’s compliance activities, and serve as the point of contact for data subjects and the data protection authorities. They also must be consulted when the organization is carrying out any data protection impact assessments.
The GDPR offers a few criteria that a DPO must meet:
- Has expert knowledge of data protection law and practices
- Has the resources necessary to carry out their responsibilities
- Reports directly to the highest level of management
- Is bound by confidentiality in the performance of their tasks
- Can be an employee or an outside contractor
Employees as DPOs
While an employee can serve as their company’s DPO, it is important that they remain completely independent and free from any conflicts. An employee who has to report to a supervisor in every other aspect of their job is not really independent, practically speaking. Executive officers, on the other hand, will generally have a conflict of interest whenever privacy concerns are not aligned with the company’s economic interests. Therefore, it is advisable in most cases to either hire an outside DPO or create a dedicated DPO position within your organization.
When Is a DPO Required?
The GDPR sets out three situations where an organization must appoint a DPO:
- The organization is a public authority or body
- The organization’s core processing activities require regular and systematic monitoring of data subjects on a large scale
- The organization’s core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses
There are two key terms here: “regular and systematic monitoring” and “processing on a large scale.” The GDPR doesn’t provide precise definitions for either of them, but data protection authorities have offered some guidance.
Regular and Systematic Monitoring
Regular and systematic monitoring includes all forms of online tracking and profiling. Here are a few activities that are likely to be considered regular and systematic monitoring:
- Using targeted or behavioral advertising
- Email retargeting
- Profiling and scoring for purposes of risk assessment (credit scoring, for example)
- Location tracking
- Customer loyalty programs
- Video monitoring
- Tracking of health and fitness data through wearable devices
Large-Scale Processing
What constitutes large-scale processing varies by jurisdiction. Some nations have used fixed figures or portions of the overall population as thresholds. For example, the Czech Republic has defined it as the processing of the data of 10,000 people or more, while Germany set a threshold of 5 million (or 40% of a relevant population).
Other nations, such as Ireland and the UK, have a more subjective approach. In such jurisdictions, an organization should consider the following factors:
- The number of data subjects concerned
- The volume of personal data being processed
- The range of different data items being processed
- The geographical extent of the activity
- The duration or permanence of the processing activity
For example, a small doctor’s office probably isn’t processing data on a large scale, but a hospital probably is. A single retailer may not meet the criteria, but if they operate branches in multiple cities or countries, they should consider the question more carefully.